Re: [Hipsec] Ben Campbell's Abstain on draft-ietf-hip-native-nat-traversal-28: (with COMMENT)
Ben Campbell <ben@nostrum.com> Thu, 20 February 2020 23:19 UTC
Return-Path: <ben@nostrum.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82EE21200FF; Thu, 20 Feb 2020 15:19:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.163
X-Spam-Level:
X-Spam-Status: No, score=-0.163 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.399, MAY_BE_FORGED=1.116, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=nostrum.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id obq6lbh65oOI; Thu, 20 Feb 2020 15:19:11 -0800 (PST)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 949C9120273; Thu, 20 Feb 2020 15:19:11 -0800 (PST)
Received: from [192.168.127.239] (mta-70-120-123-175.stx.rr.com [70.120.123.175] (may be forged)) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id 01KNJ4Yq021176 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 20 Feb 2020 17:19:05 -0600 (CST) (envelope-from ben@nostrum.com)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nostrum.com; s=default; t=1582240747; bh=4rFleGdA9tc9N7yI3DDyQMa5Ox6fcWp3Cw7tiSIw2z8=; h=From:Subject:Date:In-Reply-To:Cc:To:References; b=ku8Q8N8UhI9P/RPl2oYsor3s5Gmpw7JXIjhT6d/gAZPtfV/Il46uoASnnvJyF6TKe nvwlWVv/keIvn3BHF8mpH2VoRxxWE7OJ0Ty+BTr6DcVD+OMM+NMcXuXuSUQ0y/UZTk Ni8YIv2QrLzs74Ka29taCQjLL9ONcPBpyo7FF5tM=
X-Authentication-Warning: raven.nostrum.com: Host mta-70-120-123-175.stx.rr.com [70.120.123.175] (may be forged) claimed to be [192.168.127.239]
From: Ben Campbell <ben@nostrum.com>
Message-Id: <68B28C7A-8CD9-44AC-8AC7-3B29C948D7B3@nostrum.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_C39E3FAF-2212-40BD-9DD5-3FBAEEBBCD62"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
Date: Thu, 20 Feb 2020 17:18:58 -0600
In-Reply-To: <3ac040a545036ed86f5db5bcfd9e50a7de41ac61.camel@ericsson.com>
Cc: "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-hip-native-nat-traversal@ietf.org" <draft-ietf-hip-native-nat-traversal@ietf.org>, "hip-chairs@ietf.org" <hip-chairs@ietf.org>, Gonzalo Camarillo <gonzalo.camarillo@ericsson.com>, "hipsec@ietf.org" <hipsec@ietf.org>
To: Miika Komu <miika.komu@ericsson.com>
References: <152591791834.10400.6957331555512925079.idtracker@ietfa.amsl.com> <3ac040a545036ed86f5db5bcfd9e50a7de41ac61.camel@ericsson.com>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/fwWQLNuPh8gA8A-JBhq8kmHpXcs>
Subject: Re: [Hipsec] Ben Campbell's Abstain on draft-ietf-hip-native-nat-traversal-28: (with COMMENT)
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Feb 2020 23:19:15 -0000
Hi, I am no longer an area director. I leave it to the current area directors to decide how to proceed with the updated version. Thanks, Ben. > On Feb 19, 2020, at 2:43 PM, Miika Komu <miika.komu@ericsson.com> wrote: > > Hi Ben, > > thanks for your comments! My response below. > > ke, 2018-05-09 kello 19:05 -0700, Ben Campbell kirjoitti: >> Ben Campbell has entered the following ballot position for >> draft-ietf-hip-native-nat-traversal-28: Abstain >> >> When responding, please keep the subject line intact and reply to all >> email addresses included in the To and CC lines. (Feel free to cut >> this >> introductory paragraph, however.) >> >> >> Please refer to >> https://www.ietf.org/iesg/statement/discuss-criteria.html >> for more information about IESG DISCUSS and COMMENT positions. >> >> >> The document, along with other ballot positions, can be found here: >> https://datatracker.ietf.org/doc/draft-ietf-hip-native-nat-traversal/ >> >> >> >> ------------------------------------------------------------------- >> --- >> COMMENT: >> ------------------------------------------------------------------- >> --- >> >> I support all points of Ekr's discuss and comment points. I think >> this either >> needs to use ICE mostly as is (maybe with some minor profiling) or it >> needs to >> be self-contained here. I understand the material in appendix B, but >> the >> current mix seems untenable for implementors. Therefore I am >> balloting >> "abstain". I will reconsider that position if there is a substantial >> reorganization. > > the current document has been organized for implementors of RFC5770 in > mind. > >> Substantive Comments: >> >> I share Alissa's question about why this is standard track when the >> previous >> work has been experimental. > > HIP WG decided to move all of its experimental work to standards track. > >> §1, second paragraph: The citation for the version of ICE used by >> "legacy >> ICE-HIP" should be RFC5245, not the bis version. > > thanks, corrected. > >> §2: There are a number of lower-case keywords. Please use the RFC >> 8174 >> boilerplate. > > boilerplate added. Please comment some specific lower-case keyword is > incorrect in your opinion. > >> §4.2: >> - paragraph 5: Is everything in this paragraph from the ICE >> specification? I >> suspect not, but it's hard to tease out what is from ICE and what is >> new >> specification. It would be helpful to reference the ICE bits by >> section number. > > it is either adapted from ICE (by e.g. changing "agent" to "host" or > referencing the ICE spec (by sections). Based on the earlier reviews, > the text has evolved now into the following: > > The rules in section 5.1.1 in [RFC8445] for candidate gathering > are followed here. A number of host candidates (loopback, anycast > and others) should be excluded as described in section 5.1.1.1 of the > ICE specification [RFC8445]. Relayed candidates SHOULD be gathered > in order to guarantee successful NAT traversal, and > implementations SHOULD support this functionality even if it will not > be used in deployments in order to enable it by software > configuration update if needed at some point. Similarly as explained > in section 5.1.1.2 of the ICE specification [RFC8445], if an IPv6- > only host is in a network that utilizes NAT64 [RFC6146] and DNS64 > [RFC6147] technologies, it may also gather IPv4 server- reflexive > and/or relayed candidates from IPv4-only Control or Data Relay > Servers. IPv6-only hosts SHOULD also utilize IPv6 prefix discovery > [RFC7050] to discover the IPv6 prefix used by NAT64 (if any) and > generate server-reflexive candidates for each IPv6-only interface, > accordingly. The NAT64 server-reflexive candidates are prioritized > like IPv4 server-reflexive candidates. > >> - paragraph 6: I'm confused in that I thought the previous text said >> that >> native ICE-HIP does not use STUN. > > you mean paragraph 7? > > Gathering of candidates MAY also be performed by other means than > described in this section. For example, the candidates could be > gathered as specified in Section 4.2 of [RFC5770] if STUN servers > are available, or if the host has just a single interface and no > STUN or Data Relay Server are available. > > Nothing prevents an implementation from gathering candidates via STUN > but the recommended way is HIP control Relay as the "MAY" indicates > here. > >> §6: I am skeptical of the assertion that the security considerations >> for Native >> ICE-HIP are no different than those for Legacy ICE-HIP. > > I have changed this now to a more precise statement: > > Since the control plane protocol and Control Relay Server are > essentially the same (with some minor differences) in this document > as in Legacy ICE-HIP [RFC5770], the same security considerations (in > Section 6.1, Section 6.2, Section 6.3 and Section 6.4,) are still > valid, but are repeated here for the sake of completeness. New > security considerations related to the new Data Relay Server are > discussed in Section 6.5, and considerations related to the new > connectivity check protocol are discussed in Section 6.6 and > Section 6.7 . > >> Editorial Comments: >> >> §1, 2nd paragraph: >> - "responsible of NAT traversal": s/of/to >> - "responsible of end-host": s/of/to > > I changed to "for", I assume that would do the trick as well > >> §4.3: "This section describes the usage of a new non-critical >> parameter type. >> ": Which is? > > It says now: > > This section describes the usage of a non-critical parameter type > called NAT_TRAVERSAL_MODE with a new mode called ICE-HIP-UDP. > >> §4.6, first paragraph: 2nd sentence is hard to parse. > > I reworded this as follows: > > The address of the Control Relay Server MUST NOT be used as a > destination for data plane traffic unless the server supports also Data > Relay Server functionality, and the Client has successfully registered > to use it.
- [Hipsec] Ben Campbell's Abstain on draft-ietf-hip… Ben Campbell
- Re: [Hipsec] Ben Campbell's Abstain on draft-ietf… Miika Komu
- Re: [Hipsec] Ben Campbell's Abstain on draft-ietf… Ben Campbell
- Re: [Hipsec] Ben Campbell's Abstain on draft-ietf… Eric Vyncke (evyncke)